
Monday, November 15, 2010

How to connect to the Internet through one interface and a VPN through another interface?

We are trying to set up an environment where we want VLANs 1 and 2 to communicate with each other through inter-VLAN routing. VLAN 2 should be accessible through the VPN tunnel from the other end. There should, however, be no access to VLAN 1 through the VPN tunnel. Finally, we want both VLAN 1 and VLAN 2 to connect to the Internet through another interface of the router.

R1 Se0/0 1.1.1.1
R2 Se0/0 is 1.1.1.1
R1 Se0/1 2.2.2.2
R3 Se0/0 2.2.2.1

We have managed to implement an IPsec VPN between R1 and R2; access to VLAN 2 from R2 is working fine and there is no access to VLAN 1 from R2. However, we are not able to connect to the Internet from VLAN 1 and VLAN 2. Any suggestions welcome.

This is the config:

R1#sh run
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp key cisco address 1.1.1.2
!
crypto ipsec transform-set TXRX esp-3des esp-md5-hmac
!
crypto map MAP 1 ipsec-isakmp
 set peer 1.1.1.2
 set pfs group2
 set transform-set TXRX
 match address 101
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.1.6.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 10.2.16.1 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map MAP
!
interface Serial0/0/1
 ip address 2.2.2.2 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 10.10.10.0 255.255.255.0 1.1.1.2
!
access-list 101 permit ip host 10.2.16.2 10.10.10.0 0.0.0.255
access-list 102 permit udp host 1.1.1.2 any eq isakmp
access-list 102 permit esp host 1.1.1.2 any
!
end

R2 config

R2#sh run
hostname R2
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set TXRX esp-3des esp-md5-hmac
!
crypto map MAP 1 ipsec-isakmp
 set peer 1.1.1.1
 set pfs group2
 set transform-set TXRX
 match address 101
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 1.1.1.2 255.255.255.0
 clock rate 1000000
 crypto map MAP
!
ip classless
ip route 10.2.16.0 255.255.255.0 1.1.1.1
!
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.2.16.0 0.0.0.255
access-list 102 permit udp host 1.1.1.1 any eq isakmp
access-list 102 permit esp host 1.1.1.1 any
end

R3 config is

R3#sh run
Building configuration...
hostname R3
!
interface Serial0/0/0
 ip address 2.2.2.1 255.255.255.0
 clock rate 1000000
end
R3#

access-list 101 permit ip host 10.2.16.2 10.10.10.0 0.0.0.255?

Even if we configure L3 to perform inter-VLAN routing, how will traffic pass from the LAN to the Internet and for VPN connectivity? What will happen to the already existing ACL 101, which is responsible for VPN traffic?

Tips:

Well, you are using 10.x.x.x addressing and you have no NAT set up, so none of your addressing will be routable on the Internet. You need:

fa0/0.1
 ip nat inside
fa0/0.2
 ip nat inside
s0/0/1
 ip nat outside

access-list 101 permit ip 10.1.6.0 0.0.0.255 any
access-list 101 permit ip 10.2.16.0 0.0.0.255 any
ip nat inside source list 101 interface s0/0/1 overload

You should use an unused ACL number for the NAT, between 100 and 199.

It's not that changing to L3 inter-VLAN routing on the switch would make it work; it's just that if you have an L3 switch in your network, it's usually better to use it for its intended purpose. If the amount of traffic between VLAN 1 and VLAN 2 is not that much, then you can stick with what you have, but L3 switches generally provide much better throughput than equivalent routers, so the router interface you are using sub-interfaces on could actually become a bottleneck between the two VLANs.
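As an added example (not the thread's own configuration), here is how the NAT pieces from the tip above fit into the posted R1 config as a whole. It uses ACL 110 for NAT so the crypto map's ACL 101 is left untouched, puts a deny entry in front of the NAT permits so the VLAN 2 to 10.10.10.0/24 traffic is never translated, and adds a default route toward R3 (2.2.2.1), which the posted config lacks. The ACL number 110 and the default route are assumptions; all addresses and interface names are the ones from the posted configs.

```cisco
! Added example for R1, not the thread's own config. Assumes ACL 110 is free
! and that R3 at 2.2.2.1 is the Internet next hop; addresses are from the post.
!
! Inside interfaces: hosts on both VLAN sub-interfaces get translated.
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.1.6.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 10.2.16.1 255.255.255.0
 ip nat inside
!
! Outside interface toward R3 (the Internet link). Serial0/0/0 keeps the
! crypto map and is deliberately NOT marked ip nat outside.
interface Serial0/0/1
 ip address 2.2.2.2 255.255.255.0
 ip nat outside
!
! NAT ACL with a number separate from the crypto ACL (101). The deny entry
! excludes the VPN-interesting traffic from translation; everything else
! from the two VLANs is translated to the Serial0/0/1 address.
access-list 110 deny ip 10.2.16.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 10.1.6.0 0.0.0.255 any
access-list 110 permit ip 10.2.16.0 0.0.0.255 any
!
ip nat inside source list 110 interface Serial0/0/1 overload
!
! Routing: the peer LAN goes over the VPN link (already in the post);
! everything else follows the default route to R3 (assumed).
ip route 10.10.10.0 255.255.255.0 1.1.1.2
ip route 0.0.0.0 0.0.0.0 2.2.2.1
!
! Checks after applying:
!   show ip nat translations   expect 10.1.6.x / 10.2.16.x entries to Internet hosts only
!   show crypto ipsec sa       expect encaps/decaps counters rising for 10.2.16.x <-> 10.10.10.x
!   show access-lists          hit counts show which ACL each flow matched
```

Two points worth checking while verifying this. First, because the route for 10.10.10.0/24 points out Serial0/0/0, that traffic never crosses the ip nat outside interface, so the deny entry does not change current behaviour; it makes the intent explicit and keeps NAT and the crypto ACL mutually exclusive if the outside interface is ever changed. Second, compare ACL 101 on both ends: the posted R1 entry permits only host 10.2.16.2 while R2's permits the whole 10.2.16.0/24, and IOS crypto ACLs are expected to be mirror images, so only 10.2.16.2 will negotiate an SA in the current configs.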

Citation - This blog post does not reflect original content from the author. Rather, it summarizes content that is relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.
